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PREFACE 

This report sets forth the statutes, regulations, and Executive Branch directives that define and 
govern access to Sensitive But Unclassified (SBU) information. Although there is growing 
concern in the post 9/1 1 world that guidelines for the protection of SBU (often referred to as 
Sensitive Homeland Security Information) are needed, a uniform legal definition or set of 
procedures applicable to all Federal government agencies does not now exist. Regulations are 
reported to be under development in the Office of Management and Budget and the Department 
of Homeland Security. 

The dissemination of SBU technology is regulated through export controls administered by the 
Departments of Commerce and State. This report outlines the general applicability of these 
controls, as well as their applicability to missile and nuclear technology. This report also 
delineates regulations and directives applicable to the Department of Defense, Department of 
Energy, Federal Aviation Administration (and Transportation Security Administration), Nuclear 
Regulatory Commission, and Department of State. 
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PART I - FEDERAL LAWS AND REGULATIONS 

EXECUTIVE BRANCH DIRECTIVES REGARDING CLASSIFICATION AND 
PROTECTION OF FEDERAL INFORMATION 

Executive Orders 

On April 17, 1995 President William J. Clinton issued Executive Order (EO) 12958, which 
“prescribes a uniform system for classifying, safeguarding, and declassifying national security 
information.” (60 Fed.Reg. 19825, April 29, 1995) Section 1.3 establishes classification levels, 
and Section 1.5 classification categories (types of information eligible for classification). Section 
1.8 (b) prohibits the designation of “classified” to be applied to “basic scientific research 
information not clearly related to the national security.” Technical amendments were made by 
EO 12972 (60 Fed.Reg.48863, September 18, 1995), and EO 13142 (64 Fed.Reg. 66089, 
November 23, 1999). 

On March 25, 2003, President George W. Bush issued EO 13292 (68 Fed.Reg. 153 15, March 28, 
2003), amending EO 12958 to “prescribe a uniform system for classifying, safeguarding, and 
declassifying national security information, including information relating to defense against 
transnational terrorism.” Classification levels (renumbered Section 1.2) remain the same. The list 
of classification categories (renumbered Section 1.4) redefines “scientific, technological, or 
economic matters relating to the national security” to include “defense against transnational 
terrorism,” and expands a previous category to now cover “vulnerabilities or capabilities of 
systems, installations, infrastructures, projects, plans, or protection services relating to the 
national security, which includes defense against transnational terrorism .” (New language in 
italics.) The text of Section 1.8 (b) is unchanged, but is renumbered Section 1.7 (b). 

White House Memoranda 

On March 19, 2002, White House Chief of Staff Andrew H. Card, Jr. issued a memorandum to 
the heads of all executive departments and agencies regarding the safeguarding and protection of 
sensitive homeland security information. The memo directs recipients to “undertake an 
immediate reexamination of current measures for identifying and safeguarding” Government 
information in their respective department or agency “regarding weapons of mass destruction, as 
well as other information that could be misused to harm the security of our nation and the safety 
of our people.” Agencies are advised that for assistance in applying exemptions of the Freedom 
of Information Act (FOIA) to sensitive but unclassified information, they should contact the 
Justice Department’s Office of Information and Privacy, or consult OIP’s FOIA Web site at 
http://www.usdoi.gov/04foia/index/html/ . 

Pursuant to the White House memo, a joint memorandum was issued by the Acting Director of 
the Information Security Oversight Office and the Co-Directors of the Justice Department’s 
Office of Information and Privacy providing guidance to all departments and agencies as to 
“safeguarding information regarding weapons of mass destruction and other sensitive records 
related to homeland security.” The memo states that “in addition to information that could 
reasonably be expected to assist in the development or use of weapons of mass destruction,” the 
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classification of which is described elsewhere in the memo, “departments and agencies maintain 
and control sensitive information related to America’s homeland security that might not meet 
one or more of the standards for classification set forth ... in Executive Order 12958. The need to 
protect such sensitive information from inappropriate disclosure should be carefully considered, 
on a case-by-case basis, together with the benefits that result from the open and efficient 
exchange of scientific, technical, and like information.” Agencies are advised to process any 
FOIA request for records containing “sensitive but unclassified information related to America’s 
homeland security” in accordance with the Attorney General’s October 12, 2001 FOIA 
Memorandum, “by giving full and careful consideration to all applicable FOIA exemptions.” 

The July 3, 2003 FOIA Post (issued by OIP) references a June 25, 2003 FOIA Officers 
conference at which the above memoranda were described as “placing primary emphasis on the 
safeguarding of information, where appropriate due to its particular sensitivity rather than on the 
basis of any catch-all label such as ‘sensitive but unclassified information.’” 

The above memoranda were posted by the Justice Department on March 21, 2002 at 
http ://w w w . usdoj . go v/oip/foiapost/2002foiapost 1 0.htm . 

Presidential and National Security Directives 

Presidential Directive/NSC 24 

President Jimmy Carter issued PD/NSC-24 on November 16, 1977, establishing a National 
Telecommunications Protection Policy. This policy stipulated that “unclassified information 
transmitted by and between Government agencies and contractors that would be useful to an 
adversary should be protected.” The Secretary of Defense was designated as the Executive Agent 
for communications security (COMSEC) to “protect government-derived unclassified 
information, and the Secretary of Commerce as Executive Agent “for communications protection 
for government-derived unclassified information (excluding that relating to national security).” 

This document can be accessed at the Carter Fibrary Web site: 
http://www.iimmvcarterlibrary.org/documents/pres directive .phtml 

National Security Decision Directive 189 - National Policy on the Transfer of Scientific, 
Technical and Engineering Information 

The Reagan White House issued this directive on September 21, 1985. It states: “It is the policy 
of this Administration that, to the maximum extent possible, the products of fundamental 
research remain unrestricted.” Fundamental research is defined as basic and applied, non- 
proprietary or national security research, the results of which are generally published and shared 
broadly within the scientific community. The directive also states as policy that “where the 
national security requires control, the mechanism for control of information generated during 
federally-funded fundamental research in science, technology and engineering at colleges, 
universities and laboratories is classification.” 
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In a November 1, 2001 letter to the Center for Strategic & International Studies, National 
Security Advisor Condoleeza Rice stated that until the Bush Administration completes its review 
of the export control policies that affect basic research, “the policy on the transfer of scientific, 
technical, and engineering information set forth in NSDD-189 shall remain in effect, and we will 
ensure that this policy is followed.” In an outline of SBU definitions prepared by the Association 
of American Universities in February 2003, and posted on the Michigan State University Web 
site, it was reported that Dr. Rice’s position was reaffirmed by White House Office of Science 
and Technology Policy Director Marburger in a talk at the National Academy of Sciences on 
January 9, 2003. 1 In a May 12, 2003 memorandum to all department heads, Energy Secretary 
Spencer Abraham recommended the reissuance of NSDD-189, citing Dr. Rice’s letter as 
confirmation that “unless a legal basis exists to control basic research (either by classification or 
some other means), it shall not be controlled.” 

National Telecommunications and Information Systems Security Policy (NTISSP) No. 2 - 
National Policy on Protection of Sensitive, but Unclassified Information in Federal 
Government Telecommunications and Automated Information Systems 

This policy directive was issued by National Security Adviser John Poindexter on October 29, 
1986, and five months later rescinded by National Security Adviser Frank Carlucci. According to 
the House Committee considering legislation that later became the Computer Security Act of 
1987 (P.L. 100-235), this directive is significant because it “added a new ‘sensitive but 
unclassified’ category of Federal information, setting new classification criteria for information 
formerly unclassified. It would not only have affected managers, users, and programmers of 
information systems within the Federal Government, but there was concern that it could have 
been extended to private sector contractors of the Federal Government as well, potentially 
restricting the type of information and data released.” 2 

The text of this directive is contained in Appendix B to Defending Secrets, Sharing Data: New 
Locks and Keys for Electronic Information, OTA-CIT-310 (Washington, DC: U.S. Government 
Printing Office, 1987). 

National Security Decision Directive 145 - National Policy on Telecommunications and 
Automated Information Systems Security 

This directive, signed by President Reagan on September 17, 1984, “establishes initial objectives 
of policies, and an organizational structure to guide the conduct of national activities directed 
toward safeguarding systems which process or communicate sensitive information from hostile 
exploitation.” In support of the objectives enumerated, a policy is established whereby “systems 
handling sensitive, but unclassified, government or government-derived information, the loss of 
which could adversely affect the national security interest, shall be protected in proportion to the 
threat of exploitation and the associated potential damage to the national security.” 



1 http://www.msu.edu/unit/vprgs/exportregs.htm 

2 The two House committee reports issued pursuant to H.R. 145 (which became P.L. 100-235) - H.Rept. No. 100- 
153, part 1 and part 2 - provide extensive background information on the controversy surrounding NTISSP No.2, as 
well as the testimony the committees received regarding NSDD-145. 
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The directive establishes a Cabinet-level Systems Steering Group, which will review and 
evaluate the security status of telecommunications and automated information systems that 
handle “sensitive government or government-derived information,” and “identify categories of 
sensitive non-government information, the loss of which could adversely affect the national 
security interest.” The Group will also recommend steps to protect this information. 

A 1993 GAO report on communications privacy attributes the authorship of this directive to the 
Department of Defense. In 1985 testimony before Congress, GAO raised concern that the 
directive “could significantly affect the management of systems by civil agencies and 
commercial interests” because it failed to define the types of information included in the new 
SBU category. 3 

NSDD-145 can be accessed at http://www.fas.org/irp/offdocs/nsddl45.htm . 

National Security Directive 42 - National Policy for the Security of National Security 
Telecommunications and Information Systems 

This directive was issued by President George H.W. Bush on July 5, 1990. It “establishes initial 
objectives, policies, and an organizational structure to guide the conduct of activities to secure 
national security systems from exploitation.” It states as policy that “U.S. Government national 
security systems shall be secured by such means as are necessary to prevent compromise, denial 
or exploitation.” 

This directive also rescinds NSDD-145, “except for ongoing telecommunications protection 
activities mandated by and pursuant to PD-24 and NSDD-145.” 

NSD-42 can be accessed at http : //bu shlibrary . tamu .edu/research/nsd/N S D/N S D % 2042/000 1 .pdf . 

Future Initiatives 

On October 10, 2002, OSTP Director Marburger testified before the House Science Committee 
on the nexus of homeland security and science. 4 He stated that on the subject of sensitive 
information, the Office of Homeland Security had asked the Office of Management and Budget 
“to develop guidance for federal agencies to ensure consistency of treatment of ‘sensitive 
homeland security information’ across the Federal Government and by the recipients of such 
information,” e.g., State and local law enforcement personnel. He also testified that the 
designation Sensitive Homeland Security Information was not a new category of information, 
but rather “the type of information that the government holds today which is not routinely 
released to the general public. The vast majority of government information is and will remain 
publicly accessible.” SHSI, because it is not classified information, would have a designation 
“implemented under existing law and policy, and complements and does not supersede existing 
mechanisms for classification and de-classification of government information.” 



3 U.S. General Accounting Office. Communications Privacy: Federal Policy and Actions, GAO/OSI-94-2, 
November 1993. 

4 Conducting Research During the War on Terrorism: Balancing Openness and Security: Hearing Before the House 
Comm. On Science, 107 th Cong. 26-27 (2002). 
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Director Marburger indicated that the Administration had begun meeting with various public 
interest groups, representatives of State and local government, and the academic community, to 
gamer advice on developing a definition of SHSI. A “guidance document” will be developed by 
the Administration, and published in the Federal Register for comment. 

FEDERAL LAWS APPLICABLE TO ALL GOVERNMENT AGENCIES REGARDING 
SENSITIVE BUT UNCLASSIFIED INFORMATION 

Freedom of Information Act of 1966, as Amended (5 USC 552) 

Attorney General FOIA Memorandum 

On October 12, 2001, Attorney General Ashcroft issued a memorandum to the heads of all 
federal departments and agencies, providing a new statement of Administration policy on the 
Freedom of Information Act. It confirms the Administration’s commitment to protecting 
fundamental values safeguarding our national security, enhancing the effectiveness of our law 
enforcement agencies, protecting sensitive business information, and preserving personal 
privacy.” Agencies are encouraged to “carefully consider the protection” of the values and 
interests enumerated in this memorandum “when making disclosure determinations under the 
FOIA.” Decisions to disclose information protected under the FOIA should be made in 
consultation with the Department of Justice’s Office of Information and Privacy. If any agency 
decides to withhold records, in whole or in part, Justice will defend this decision “unless it lacks 
a sound legal basis or presents an unwarranted risk of adverse impact on the ability of other 
agencies to protect other important records.” 

This memorandum, and other explanatory material, can be accessed at the Justice Department 
Office of Information and Privacy FOIA Post Web site: 
http ://w w w . usdoj . go v/oip/foiapost/200 1 foiapost 1 9 .htm 

Exemptions to FOIA 

The Freedom of Information Act Guide, May 2004, published by the Department of Justice, 
states that the “Freedom of Information Act generally provides that any person has a right, 
enforceable in court, to obtain access to federal agency records, except to the extent that such 
records (or portions of them) are protected from public disclosure by one of nine exemptions or 
by one of three special law enforcement record exclusions.” 5 

Exemption 1 is information classified in the interest of national defense or foreign policy. In the 
FOIA Guide discussion of Exemption 1, federal departments and agencies are advised that in 
light of the greater emphasis (post-9/1 1) “placed on the protection of information that could 
expose the nation’s critical infrastructure, military, government, and citizenry to an increased 
risk of attack,” they should “carefully consider the sensitivity of any information the disclosure 
of which could reasonably be expected to cause national security harm.” This guide also notes 
that categories of homeland-security information like SBU and SHSI have not been classified 



5 http://www.usdoj.gov/oip/foi-act.htm 
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